
Antivirus System Pro Infection


6 replies to this topic

#1 jimworzala
  • Members
  • 94 posts

Posted 16 November 2009 - 11:55 AM

I am attempting to clean an infection from my mother's computer. I somehow got hers infected while trying to send info to your site about my infected computer (mine is clean now thanks to you). What happened was that I got a warning pop up that said:

Resident Shield Alert
Accessed file is infected
application cannot be executed
File avgcsrvx.exe is infected

Almost immediately, a new window popped up with Antivirus System Pro Alert saying that there was an infection and starting a scan for viruses. It kept popping up no matter what I did, so I shut down the system, restarted, and ran the Malwarebytes program that I had already previously installed. This stopped the popups, but I believe that the computer is still infected.

Since I had just gone through a similar experience, although with a different infection, I decided to run some of the programs that I had run for my infection on her computer, and then to contact you if it did not clear up the infection.

Here are the programs that I ran, in the order listed with a quick summary of the results, let me know what information you want me to send from these:

Malwarebytes Antimalware - found and removed 3 infected files and stopped the popups using old definitions
Malwarebytes Antimalware - found and removed 2 more infected files after updating definitions
SUPERAntispyware - found and removed 38 infected files
RootRepeal - stopped on BSOD almost immediately
Dr.Web CureIt - found HOSTS file modified and quarantined it, found and quarantined/moved 9 objects
gmer - found 4 Attached devices

After this I tried RootRepeal again. At first, it just restarted Windows, so I deleted the file, recopied it from my flash drive and ran it again. This time it found:

Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF00EE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF9A5A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF98C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==

Edited @ 1:30 PM CT
I just found instructions for removing Antivirus System pro elsewhere on the site and tried removing using Rkill and Malwarebytes. Malwarebytes ran and reported no infections, but based on other scans, I'm not so sure! Please advise!

Edited by jimworzala, 16 November 2009 - 02:32 PM.


#2 garmanma
    Computer Masochist
  • Staff Emeritus
  • 27,809 posts
  • Location: Cleveland, Ohio

Posted 17 November 2009 - 10:49 PM

I'd still run this


Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 jimworzala (Topic Starter)
  • Members
  • 94 posts

Posted 18 November 2009 - 09:25 AM

I will need to cross town to my mother's house to run this, so it will take a little time. Also, please note that between the time that I posted, and the time of your reply, her computer restarted all by itself while I was reading other possible things to try from your archives. I have shut it down and disconnected it from the internet to avoid someone taking over the computer from outside. Is there anything else I need to run as well, or will it be safe to reconnect to the internet after running this?

#4 jimworzala (Topic Starter)
  • Members
  • 94 posts

Posted 18 November 2009 - 11:43 AM

I left before getting a response from you about internet being safe, so I am taking a chance.

Here are the log results from Win32kDiag:

Running from: C:\Documents and Settings\HP_Owner\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\HP_Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Here are the results from log.txt:

Volume in drive C is HP_PAVILION
Volume Serial Number is A07A-E8FE

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 04:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 04:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 04:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/14/2008 04:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/14/2008 04:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/14/2008 04:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,576,896 bytes
0 Dir(s) 79,649,173,504 bytes free

Edited by jimworzala, 18 November 2009 - 11:44 AM.


#5 garmanma
    Computer Masochist
  • Staff Emeritus
  • 27,809 posts
  • Location: Cleveland, Ohio

Posted 18 November 2009 - 06:55 PM

04/14/2008 04:41 AM 56,320 eventlog.dll

Your system is infected with a new rootkit variant that has become quite pervasive as evidenced by these entries:

The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Disinfection will require the use of more powerful tools than we recommend in this forum.

Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach.

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

Start a new topic and post your DDS log along with the results of the Log.txt from Post #4 reports in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If DDS will not run, then just post the results of the Log.txt. Be sure to include a note that you tried to follow the Prep Guide but were unable to get DDS to run. If you already downloaded Combofix, do not use it until instructed to do so by the Helper in that forum.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Edited by garmanma, 18 November 2009 - 06:57 PM.

Mark
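Post #2 asks for a DIR listing of scecli.dll, netlogon.dll and eventlog.dll in every copy on the disk, and post #5 reads one of those entries as evidence of a rootkit. As an added example (not code from this thread or from BleepingComputer), the Python below parses such a DIR /a/s log and flags any DLL whose system32 copy differs in size from the service-pack reference copy; the sample log is constructed from the post #4 entries with the system32 scecli.dll size deliberately altered so that one mismatch exists.

```python
import re
from collections import defaultdict

# Parser for the DIR /a/s output requested in post #2: each "Directory of"
# header is followed by "date  time  size  name" lines for that directory.
DIR_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
FILE_RE = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+"
                     r"(?P<size>[\d,]+)\s+(?P<name>\S+)\s*$")

# Constructed sample: the ServicePackFiles lines match the log in post #4;
# the system32 scecli.dll size is altered to 181,760 so one mismatch exists
# (the real log in this thread shows identical sizes for all three DLLs).
SAMPLE_LOG = r"""
 Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008  04:42 AM           181,248 scecli.dll
04/14/2008  04:41 AM            56,320 eventlog.dll

 Directory of C:\WINDOWS\system32

04/14/2008  04:42 AM           181,760 scecli.dll
04/14/2008  04:41 AM            56,320 eventlog.dll
"""

def parse_dir_log(text):
    """Return {filename: {directory: size_in_bytes}} from DIR output."""
    found = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group("dir").lower()
            continue
        m = FILE_RE.match(line)
        if m and current:
            found[m.group("name").lower()][current] = int(m.group("size").replace(",", ""))
    return found

def find_size_mismatches(found, live=r"c:\windows\system32",
                         ref=r"c:\windows\servicepackfiles\i386"):
    """Compare the copy Windows loads (system32) with the service-pack
    reference copy. Returns {name: (reference_size, live_size)} for files
    whose sizes differ; an equal size does not prove the live file is clean."""
    bad = {}
    for name, sizes in found.items():
        if live in sizes and ref in sizes and sizes[live] != sizes[ref]:
            bad[name] = (sizes[ref], sizes[live])
    return bad
```

Identical sizes, as in the thread's actual log, do not rule out a patched file, so a hash comparison against a known-good copy from installation media is the stronger check.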

#6 jimworzala (Topic Starter)
  • Members
  • 94 posts

Posted 18 November 2009 - 07:06 PM

Thank you for all of your help. Does the log entry that you listed mean that the computer has been infected since April of 2008?

In any case, my mother says she does not use the computer for much except email and does not mind if I do a reinstall. However, she does not have a recovery disc or an install CD. Without those, how do I go about this? I think I might be able to get a recovery disc from HP for $28, but is there a procedure that will ensure that it is a clean install?

Edited by jimworzala, 18 November 2009 - 11:00 PM.


#7 garmanma
    Computer Masochist
  • Staff Emeritus
  • 27,809 posts
  • Location: Cleveland, Ohio

Posted 19 November 2009 - 08:35 PM

is there a procedure that will ensure that it is a clean install?

Using the recovery disk will format the computer before installation, which is sufficient.

http://h10025.www1.hp.com/ewfrf/wc/documen...;product=376085
Mark